hashicorp / consul-template

Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.
https://www.hashicorp.com/
Mozilla Public License 2.0

Multiple CVEs reported by Trivy scan tool #1959

Open noorul opened 3 weeks ago

noorul commented 3 weeks ago
usr/local/bin/consul-template (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 1)

┌───────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│                Library                │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├───────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-retryablehttp │ CVE-2024-6104  │ MEDIUM   │ fixed  │ v0.7.2            │ 0.7.7           │ go-retryablehttp: url might write sensitive information to   │
│                                       │                │          │        │                   │                 │ log file                                                     │
│                                       │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-6104                    │
├───────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                                │ CVE-2024-24790 │ CRITICAL │        │ 1.22.3            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│                                       │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│                                       │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│                                       ├────────────────┼──────────┤        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2024-24789 │ MEDIUM   │        │                   │                 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│                                       │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
└───────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

Looks like the Go version needs to be bumped.

aswinkumarthulasiraman commented 3 weeks ago

Hello, any update on upgrading these packages to the fixed versions? We are having an issue with go-retryablehttp @v0.7.2.